APPENDIX 



EXEMPLARY RISK ASSESSMENT QUESTIONNAIRE 

This questionnaire is designed to assist your brokers and potential underwriters in 
assessing the emerging risks in the use of the Internet in e-commerce. It addresses potential 
legal risks (including intellectual property, invasion of privacy, theft of identity, corporate and 
contractual), technological risks (including systems security, data integrity, recovery planning in 
the event of for Internet or other outside failures), and management and operational risks. 
Underlying this questionnaire are the complementary assumptions that the better your insurers 
understand your company's risks, the better they will be able to respond with appropriate 
insurance, and the better your company understands its risks and the available insurance 
options, the more informed will be its risk management decisions. 

Upon completion of this questionnaire, you will receive a risk assessment report. This 
report will not be disclosed to any third parties and will remain privileged and confidential until 
and when you authorize its release. As part of the assessment, we will make 
recommendations, including the retention of appropriate categories of risk management 
providers. 

Company Name 

Division/Business Unit 



Address 

Address2 

City 

State Zip Code. 

Contact Name 



Email 

Phone Fax 
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Type of Organization: 

(Choose one) 
[] Individual 
[] Corporation 
[] Division 
[] Subsidiary 
[] Partnership 
[] Other 

If you are a corporation, state the year and state of your incorporation for this 
business or related business(es). 

Year: . State:_ 

Years in Business: 

(Choose one) 

11 1 

11 2-4 

11 5-8 

11 9-15 

[] 16-25 

[ ] More than 26 

Describe the major business activity/activities of the organization: 



What is the projected revenue from website / Internet activity for the next twelve 
months? 

(Choose one) 

[] Under $1 Million 

[ ] $1 million - $25 million 

[ ] $25 million - $50 million 

[] $50 million - $100 million 

[] $100 million - $500 million 

[] Over $500 Million 

[] Don't Know 

What was the actual revenue from website / Internet activity for the last twelve 
months? 

(Choose one) 

[] Under $1 Million 

[] $1 million - $25 million 

[ ] $25 million - $50 million 

[ ] $50 million - $100 million 

[ ] $100 million - $500 million 

[] Over $500 Million 

[] Don't Know 
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If you are a corporation, do you comply fully with the business corporation law of 
the state of your incorporation? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[] Not Applicable 

If you are a corporation, do you use your full corporate name on your web site? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 

A. Intellectual property 

1. In the past ten years, has your company been the subject of any of the 
following types of claims? (Select all that apply.) 

(Choose all that apply) 
[] Patent Infringement 
[] Trademark Infringement 
[] Copyright Infringement 
[] None of the above 
[] Don't Know 
As to any patent infringement claims, please indicate: 

a. the number of claims where the average amount of settlement/other financial 
obligation per claim was: 

2. a- Less than $10,000 

(Choose one) 
[] None 
11 1'5 
[] 6-10 
[] Over 10 
[] Don't Know 
2.a - Between $10,000 and $100,000 
(Choose one) 
[] None 

11 1-5 
[] 6-10 
[ ] Over 10 
[] Don't Know 
2.a - Between $100,000 and $1 million 
(Choose one) 
[] None 

11 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 
2.a - Over $1 million 
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(Choose one) 
[] None 

11 1-5 
[] 6-10 
[] OverW 
[] Don't Know 

b. the number of claims where the approximate average attorneys fees incurred 
in the defense of the matter(s) per claim was: 

2.b~Less than $10,000 

(Choose one) 
[] None 

11 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 
2.b - Between $10,000 and $100,000 
(Choose one) 
[] None 

11 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 
2.b - Between $100,000 and $1 million 
(Choose one) 
[] None 

11 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 
2.b - Over $1 million 
(Choose one) 
[] None 

11 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 

As to any trademark infringement claims, please indicate: 

a. the number of claims where the average amount of settlement/other financial 

obligation per claim was: 



3.a-Less than $10,000 

(Choose one) 
[] None 

[] 1-5 
[] 6-10 
[] OverW 
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[] Don't Know 
3.a - Between $10,000 and $100,000 

(Choose one) 
[] None 

11 1-5 
[] 6-10 
[ ] Over 10 
[] Don't Know 
3.a - Between $100,000 and $1 million 
(Choose one) 
[] None 

11 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 

3.a - Over $1 million 

(Choose one) 
[] None 

11 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 

b. the number of claims where the approximate average attorneys fees incurred 
in the defense of the matter(s) per claim was: 

3.b-Less than $10,000 

(Choose one) 
[] None 

[1 1-5 
[] 6-10 
[ ] Over 10 
[] Don't Know 
3.b - Between $10,000 and $100,000 
(Choose one) 
[] None 

11 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 

3.b - Between $100,000 and $1 million 

(Choose one) 
[] None 

11 1'5 
[] 6-10 
[] Over 10 
[] Don't Know 
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3. b - Over $1 million 

(Choose one) 
[] None 
11 1-5 
[] 6-10 
[] OverW 
[] Don't Know 

As to any copyright infringement claims, please indicate: 
a. the number of claims where the average amount of settlement/other 
financial obligation per claim was: 

4. a- Less than $10,000 

(Choose one) 
[] None 

11 1-5 
11 6-10 
[] OverW 
[] Don't Know 

4.a - Between $10,000 and $100,000 

(Choose one) 

[] None 

[] 1-5 

[] 6-10 

[] OverW 

[] Don't Know 
4.a - Between $100,000 and $1 million 
(Choose one) 

[] None 

11 1-5 

[] 6-10 

[] Over 10 

[] Don't Know 
4.a - Over $1 million 
(Choose one) 

[] None 

11 1'5 

[] 6-10 

[] OverW 

[] Don't Know 

b. the number of claims where the approximate average attorneys fees 
incurred in the defense of the matter(s) per claim was: 

4.b- Less than $10,000 

(Choose one) 
[] None 

11 1-5 
[] 6-10 
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[] Over 10 
[] Don't Know 

4.b - Between $10,000 and $100,000 

(Choose one) 
[] None 
[] 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 

4.b - Between $100,000 and $1 million 

(Choose one) 
[] None 
[] 1-5 
[] 6-10 
[ ] Over 10 
[] Don't Know 



4. b - Over $1 million 

(Choose one) 
[] None 
[] 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 

5. Within the past ten years, has your company made any of the following 
claims? (Select all that apply.) 

(Choose all that apply) 
[] Patent Infringement 
[] Trademark Infringement 
[] Copyright Infringement 
[] None of the above 
[] Don't Know 

As to any patent infringement claims, please indicate: 

a. the number of claims where the average amount of settlement/other financial 
obligation per claim was: 



6.a- Less than $10,000 

(Choose one) 
[] None 

[] 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 
6.a - Between $10,000 and $100,000 
(Choose one) 
[] None 
[] 1-5 
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[] 6-10 
[] Over 10 
[] Don't Know 
6.a - Between $100,000 and $1 million 

(Choose one) 

[] None 

11 7-5 

[] 6-10 

[] Over 10 

[] Don't Know 
6.a - Over $1 million 
(Choose one) 

[] None 

11 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 

b. the number of claims where the approximate average attorneys fees incurred 
in the defense of the matter(s) per claim was: 

6.b-Less than $10,000 

(Choose one) 
[] None 

11 1-5 

[] 6-10 

[] Over 10 

[] Don't Know 
6.b - Between $10,000 and $100,000 
(Choose one) 

[] None 

11 1-5 

[] 6-10 

[ ] Over 10 

[] Don't Know 
6.b - Between $100,000 and $1 million 
(Choose one) 

[] None 

11 1-5 
U 6-10 
1 1 Over 10 
11 Don't Know 
6.b - Over $1 million 
(Choose one) 
[] None 
[] 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 
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As to any trademark infringement claims, please indicate: 

a. the number of claims where the average amount of settlement/other financial 

obligation per claim was: 

7.a-Less than $10,000 

(Choose one) 
[] None 

11 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 

7.a - Between $10,000 and $100,000 

(Choose one) 
[] None 

11 1* 
U 6-10 
[] Over 10 
[ ] Don't Know 
7.a - Between $100,000 and $1 million 
(Choose one) 
[] None 

11 1'5 
[] 6-10 
[1 Over 10 
[] Don't Know 
7.a - Over $1 million 
(Choose one) 
[1 None 

11 1-5 
[] 6-10 
[ ] Over 10 
11 Don't Know 

b. the number of claims where the approximate average attorneys fees incurred 
in the defense of the matter(s) per claim was: 

7.b-Less than $10,000 

(Choose one) 
11 None 

11 1-5 
11 6-10 
[] Over 10 
[] Don't Know 
7.b - Between $10,000 and $100,000 
(Choose one) 
11 None 

11 1-5 
[1 6-10 
[] Over 10 
[] Don't Know 
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7.b - Between $100,000 and $1 million 

(Choose one) 
[ ] None 

11 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 

7. b - Over $1 million 

(Choose one) 
[ ] None 
[] 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 

As to any copyright infringement claims, please indicated 

a. the number of claims where the average amount of settlement/other financial 
obligation per claim was: 

8. a - Less than $10,000 

(Choose one) 
[] None 
[] 1'5 
11 6-10 
[] Over 10 
[] Don't Know 
8.a - Between $10,000 and $100,000 
(Choose one) 
[] None 

[] 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 
8.a - Between $100,000 and $1 million 
(Choose one) 
[] None 

[] 1-5 
[] 6-10 
[ ] Over 10 
[] Don't Know 
8.a - Over $1 million 
(Choose one) 
[] None 

[] 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 

b. the number of claims where the approximate average attorneys fees incurred 
in the defense of the matter(s) per claim was: 
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8.b - Less than $1 0,000 

(Choose one) 
[] None 

11 1-5 
[] 6-10 
[ ] Over 10 
[] Don't Know 

8.b - Between $10,000 and $100,000 

(Choose one) 
[] None 
[] 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 
8.b - Between $100,000 and $1 million 
(Choose one) 
[] None 

11 1-5 
[] 6-10 
[] Over 10 
[] Don't Know 
8.b - Over $1 million 
(Choose one) 
[] None 

11 1-5 
H 6-10 
[ ] Over 10 
[] Don't Know 

9a. Do you have an established policy to minimize incoming claims alleging 
patent, trademark, 

and copyright infringement? 

(Choose one) 
[] Yes 
[1 No 

[] Don't Know 

9b. Do you have an established policy to minimize the potential for having to 
prosecute claims 

alleging patent, trademark, and copyright infringement? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 



B. Copyright 



Appendix 
Page 11 



1. Are your databases protected under the European Community Database 
Directive of 1966 (Counsel Directive 96-9, O.J.L 7/20/96)? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 

2. Do you contract with third parties to provide the content, programming, layout, 
or design of your website(s)? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 

3. If so, is the work produced by third parties considered "work made for hire" as 
defined by the Copyright Act of 1976? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 

4. Do you have written contracts with your employees that specifies which work 
created by them is your property and which is theirs? 

(Choose one) 
U Yes 
11 No 

[] Don't Know 

5. Have you implemented procedures to ensure that copyrighted material is not 
included in any derivative work authored by you, unless that use is authorized by 
license, assignment, or sale of rights from the copyright owner of the original work or a... 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 

6. Do you have exclusive licenses from all the other co-owners of "joint work" 
that you've co-authored claim an independent right to use? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 

C. Trademark 

1. Do you have procedures in place to ensure compliance with the 
Anticybersquatting Consumer Protection Act, Pub. L. No. 106-113, 113 Stat. 1509 (1999), 
15U.S.C. §11 25(d)? 

(Choose one) 
[] Yes 
[1 No 

[] Don't Know 
[] Not Applicable 

2. Do you have procedures in place to ensure that the registered marks of other 
companies, or marks similar to the registered marks of other companies, are not placed 
in your metatag(s)? 
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(Choose one) 
[] Yes 
[] No 

[] Don't Know 
[ ] Not Applicable 

3. Do you have legal counsel approve the metatags embedded in your 
website(s)? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[] Not Applicable 

4. Have you established procedures to ensure that your company's "keyword 
buys" don't use the trademarks of others in trademark form? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ J Not Applicable 

5. Do you have procedures in place to ensure that your use of hyperlinks does 
not suggest approval by the owner of the linked page? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 
[ ] Not Applicable 

6. Do you have procedures in place to ensure that your company's use of framing 
on its website(s) neither obscures the identity or content of the linked Web pages nor 
suggests sponsorship or affiliation to the linked Web page? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 
[] Not Applicable 

7. Do you have procedures in place to ensure compliance with the Telemarketing 
Fraud Prevention Act of 1998, Pub. L. No. 105-184, 112 Stat. 520 (6/23/98)? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 
[] Not Applicable 

D. Patent 

1. Do you have a chat room on your company's website(s)? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
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2. Do you have a listserve on your company's website(s)? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 

3. If the answer to either of the above questions is yes, do you ask your 
subscribers to agree to terms and conditions that explicitly provide for the revision and 
other public displays of the communications, in any media known or to be developed? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 

E. Privacy 

1. Do you comply with the Electronic Communications Privacy Act of 1986, Pub. 
L. No. 99-508, 100 Stat. 1860 ("ECPA") in prohibiting the unauthorized access to or use of 
stored electronic communications such as voicemail and e-mail? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[] Not Applicable 

2. Have you set up procedures to prevent disclosure of the contents of stored 
communications in compliance with ECPA? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[] Not Applicable 

3. Have you implemented procedures to ensure that your customers are 
notified of or given an opportunity to contest in court a government entity's request for 
access to their e-mail or other stored communications in your control, or in the control of 
a provider of electronic communications services or remote computing services under 
contract with you in compliance with ECPA? 
(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[] Not Applicable 

4. Do you have procedures in place to ensure your compliance with the Computer 
Fraud and Abuse Act, 18 E.S.C. §1030? 

(Choose one) 
[] Yes 
[]No 

[J Don't Know 
[ ] Not Applicable 

5. If you're in the business of cable television, do you have procedures in place to 
ensure compliance with the Cable Communications Policy Act of 1984, 47 U.S.C. §551, in 
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particular its prohibition of the collection of personal information from your subscribers 
without their proper consent; prohibiting disclosure of such data; and informing your 
subscribers annually about the nature of personal data collected, data disclosure 
practices and subscriber rights to inspect and correct errors in such data? 

(Choose one) 
[] Yes 
[] No 

[ ] Don't Know 
[ ] Not Applicable 

6. Is your business wholly or in part engaged in the practice of assembling or 
evaluating consumer credit information or other consumer information for the purpose 
of furnishing consumer reports to third parties (a communication constitutes a 
consumer credit report generally if it bears on individuals credit worthiness, credit 
standing, credit capacity, general representation or similar characteristics)? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[] Not Applicable 

7. If the answer to the previous question is yes, have you set up procedures to 
ensure compliance with the Fair Credit Reporting Act, 15 U.S.C. §§1681 et seq.? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 

8. Are you familiar with, and do you have procedures in place to ensure 
compliance with, all relevant state privacy acts? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 

9. Do you have a privacy policy posted on your company's website(s)? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 

10. Do you use a "Privacy Seal" program such as those sponsored by TRUSTe 
and BBBOnLine? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 

11. If so, do you hold a current license from the organization sponsoring your 
program? 

(Choose one) 
[] Yes 
11 No 
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[] Don't Know 

12. If your website collects individually-identifying information about customers 
or other visitors to your website, do you tell them: 

12 - a how and why you collect the information? 

(Choose one) 
[] Yes 
[] No 

[ ] Don't Know 

12 - b. . . .the identity of any third parties involved in collecting the information 
for you? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 
12 - c. . . .what information is being collected? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
12 - d. . . .how the information is used? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 

12 - e. . . .if and how the information is used beyond the original purpose for 
which it was collected? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 
12 - f. . . -to whom the information is disclosed? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 

12 - g. . . .the consequences of refusing to give information? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 

12 - h. . , .that they have some choices as to the above, including an opportunity 
to have erroneous data corrected or data deleted? 

(Choose one) 
[] Yes 
UNO 

[] Don't Know 

13. Does your website collect individually-identifying information about children 
12 years of age and younger? 
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(Choose one) 
[] Yes 
11 No 

[] Don't Know 

14. If so, do you ensure that parents receive the information set out in Question 
12, including any information on file about their children, along with the opportunity to 
exercise control on behalf of their children? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 

15. Do you have procedures in place to ensure compliance with the EU Privacy 
Directive, in particular its Safe Harbor standards relating to data handling? 

(Choose one) 
[] Yes 
UNO 

[] Don't Know 

With respect to the 1999 Graham-Leach-Bliley Act (a/k/a Financial Services 
Reform Act, S.900, enacted November 12, 1999): 

16a. Have you established procedures in place to ensure that personal financial 
information, whether gathered online or offline, from your customers or from third 
parties, is not disclosed to unaffiliated third parties unless you have given your... 
(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 

16b. Do you have procedures in place to prevent the sale or other disclosure by 
your company of "transactions and experience" data to unaffiliated third parties? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[] Not Applicable 

16c. Do you have procedures in place to prevent the redisclosure of personal 
financial information received by third parties from financial institutions? 

(Choose one) 
11 Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 

16d. Do you have procedures in place to prevent the disclosure of account 
numbers or access codes to third parties for use in telemarketing, direct mail marketing, 
or e-mail marketing? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[] Not Applicable 
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16e. Have you implemented procedures to provide your privacy policy to each of 
your customers at the time the customer relationship is established and at least annually 
for as long as the relationship lasts? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 
[ ] Not Applicable 

17. Is your privacy policy a contract between you and your customers or other 
visitors to your company's website(s)? 

(Choose one) 
[] Yes 
[]No 

[] Don't Know 

F. E-Mail 

If you offer e-mail systems to the public over which emails are transmitted wholly 
or in part, do you have procedures in place to ensure your compliance with the 
Electronic Communications Privacy Act of 1986 ("ECPA"), specifically as ECPA 
prohibits: 

1a unauthorized access of stored electronic communications? 

(Choose one) 
[] Yes 
[] No 

[ ] Don't Know 
[] Not Applicable 

1b monitoring or disclosure of the contents of stored communications as 

applicable to public service e-mail systems, messages transmitted wholly or in part over 
systems offered to the public? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 
[ ] Not Applicable 

1c obtaining access to, altering, or preventing access to an electronic 

communication while it's in storage by either intentionally accessing, without 
authorization, a facility through which electronic communication services are provided, 
or exceeding your authorization in? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 
[ ] Not Applicable 

1d disclosure of the contents of an e-mail communication, whether it's in 

transmission or storage, to any person other than the addressee or intended recipient? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 
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1e disclosure of transactional data to governmental entities? 

(Choose one) 
[] Yes 
11 No 

[ ] Don't Know 
[] Not Applicable 

1f access of electronically stored e-mail by service providers except for 1) 

conduct authorized by the provider of the service; 2) conduct authorized by the sender 
or recipient of the communication; and 3) conduct authorized under certain statutory 
provisions that allow law enforcement authorities to access communications pursuant to 
legal process requirements? 
(Choose one) 
[] Yes 
[]No 

[] Don't Know 
[ ] Not Applicable 

2. Have you established procedures governing your monitoring of the e-mail 
communications of your employees? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 
[ ] Not Applicable 

3. If the answer to the foregoing question is yes, are you in compliance with the 
Code of Fair Information Practices, specifically do you have procedures in place to 
ensure that: 

3 - a there is no data record-keeping practices whose existence is secret? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 

3 - b there is a way for an individual to find out what information about him or 

her is on record and how it's used? 

(Choose one) 
[] Yes 
11 No 

[J Don't Know 
[] Not Applicable 

3 - c there is a way for an individual to correct or amend a record of 

identifiable information about him or her? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 

3-d there is a way for an individual to prevent information about him or her 

that was obtained for one purpose from being used or made available for other purposes 
without his or her consent? 
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(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 

3 - e. . . .guaranteeing the availability of the data for its intended use and taking 
precaution to prevent its misuse? 

(Choose one) 
[] Yes 
11 No 

U Don't Know 
[] Not Applicable 

G. Encryption 

1. Do you use any encryption microcircuit products? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[] Not Applicable 

2. If so, do you use Clipper Chip or other such product? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[] Not Applicable 

3. If you use Clipper Chip or another similar microcircuit product for encryption 
purposes, are the escrow keys deposited with a federal agency? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 

4. Do you export encryption products? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[] Not Applicable 

5. If so, is your export in compliance with the Export Administration Regulations 
("EAR") adminis tered by the Department of Commerce Bureau of Export Administration 
("BXA")? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 
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H. Contracts 



1. Do you use shrink-wrap or point-and-click agreements in your business? 

(Choose one) 
[] Yes 
[1 No 

[] Don't Know 
[] Not Applicable 

If you use shrink-wrap, or point-and-click agreements in your business, do you 
have procedures in place to ensure that: 

2a. Do all communications with the other parties make conspicuous reference 
to the existence of the shrink-wrap or point-and-click agreement, stating that any 
transaction between your company and those parties is subject to the terms and 
conditions of the shrink-wrap agreement? 
(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 

2b. Are the terms of the shrink-wrap or point-and-click agreement conspicuously 
displayed so that the customer has the opportunity to read and understand the terms 
before consummating the transaction? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 
[] Not Applicable 

2c. Do you avoid any communication with the other party, before the shrink-wrap 
point-and-click agreement is introduced, that may be construed as constituting a pre- 
existing agreement? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 
[ ] Not Applicable 

2d. Is the shrink-wrap or point-and-click agreement written in simple language 
that can be read and understood by a non-lawyer? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 

2e. Do the terms of the shrink-wrap or point-and-click agreement protect your 
vital interests without being unreasonable or overreaching? 

(Choose one) 
[] Yes 
UNO 

[] Don't Know 
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[] Not Applicable 

2f. Do you direct the shrink-wrap or point-and-click packages to specific 
individuals at your institutional customers who are known by you to have the actual 
authority to bind their principals or employers? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 

2g. Do you include a representation and warranty in the shrink-wrap or point-and- 
click agreement to the effect that the party opening the packages is duly authorized to 
bind his or her principal employer and has adequate legal capacity to enter into binding 
agreements? 

(Choose one) 
[] Yes 
{] No 

[] Don't Know 
[] Not Applicable 

2h. When appropriate, do you implement a Master Contracting Agreement with 
customers who will be acquiring products and services on a repetitive basis? 

(Choose one) 
[] Yes 
[]No 

[] Don't Know 
[ ] Not Applicable 

2i. Do your shrink-wrap or point-and-click agreements advise customers that they're 
entitled, within a reasonable time from the date of purchase, to return the product for a refund if 
they don't agree to the terms of the shrink-wrap or point-and-click license? 
(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 

3. Do you have procedures in place to ensure your compliance with the 
Electronic Funds Transfer Act of 1978, 15 U.S.C. §§1 693-1 693p (1988)? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 
[ ] Not Applicable 

4. Do you have procedures in place to ensure that consumers have affirmatively 
consented to the use of electronic records and are informed of procedures for 
withdrawing consent? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 
[] Not Applicable 

5. Do you use contracts, either online or hard copy, or both, to document Internet 
transactions with your customers? 
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(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 



6. If you conduct business on the Internet in any country outside the United 
States, have you taken steps to limit your contractual liability in such country or 
countries? 

(Choose one) 



L Credit Cards 

1. Do you offer goods or services for sale over the Internet? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 
[ ] Not Applicable 

2. Do you accept payment by credit card for Internet sales, or in any other way 
acquire credit card information from consumers or businesses? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 

3. Do you store acquired customer credit card information in your computer 
system(s)? 

(Choose one) 
[] Yes 
l]No 

[] Don't Know 

4. Do you keep the acquired customer credit card information in encrypted form? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 

5. Do you outsource the storage of acquired customer credit card information? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 

6. Have you taken any steps to ensure that outsourced customer credit card 
information is protected from inappropriate use and disclosure? 



[] 
11 
11 
11 



Yes 
No 

Don't Know 
Not Applicable 



(Choose one) 
[] Yes 
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[] No 

[] Don't Know 
J. Data Protection 

1. Do you have some form of an uninterruptible power supply device to ensure 
continuous power to your data center in the event of a power failure? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[] Not Applicable 

2. Do you have a secondary power route into your data center to ensure that 
continuous power is available to your data center? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[] Not Applicable 

3. Do you have an emergency generator to ensure that continuous power is 
available to your data center? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 
[ ] Not Applicable 

4. Do you maintain a "hot site" that's essentially a redundant data center? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 

5. Do you have a "warm site" available to your company during an emergency? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 

6. Do you routinely make tape back-ups of the data on your computer disk drives 
and store the tapes off site? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 

7. Do you use a disk drive configuration that distributes data among multiple 
drives to prevent data loss if a particular drive fails? 

(Choose one) 
[] Yes 
11 No 
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[] Don't Know 
[ ] Not Applicable 

8. Have you installed software that alerts your computer technicians when 
various computer components are at risk of failing? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[] Not Applicable 

9. When disposing of any of your personal computers, whether by trade-in, sale, 
or other means, do you data-wipe each personal computer according to U.S. Department 
of Defense Standard 5520.22-M? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 
[] Not Applicable 



K. Environmental concerns 

1. Do you dispose of any personal computers in a way in which any of them 
might be exposed to the environment, for instance in a landfill? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 
[ ] Not Applicable 

2. If so, do you take precautions to ensure that any hazardous substance in each 
personal computer disposed of are removed before the personal computer is introduced 
to the environment? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
[ ] Not Applicable 

L. Network Management 

1. Who is responsible for the management of your internal network? 

(Choose one) 

[ ] Employees of your company 
[ ] A third party Outsourcing firm 
[] Hybrid combination 
[] Don't Know 

2. Who is responsible for the maintenance of your network hardware? 

(Choose one) 

[] Employees of your company 
[ ] A third party Outsourcing firm 
[] Hybrid combination 
[] Don't Know 

3. Who is responsible for the development and maintenance of your network 
software? 
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(Choose one) 

[ ] Employees of your company 
[ ] A third party Outsourcing firm 
[] Hybrid combination 
[ ] Don't Know 

4. Does your internal network reside on the Internet? 

(Choose one) 
[] Yes 
[] No 
[] Partially 
[] Don't Know 

5. How many nodes are there on your internal network? (A node can be a 
computer or other device, such as a printer or scanner.) 

(Choose one) 
[] One 
[] 2-10 
[] 11-100 
[] 101-1,000 
[] 1,001-10,000 
[ ] More than 10,000 
[] Don't Know 

6. How many different operating systems does your company use? (This includes 
the operating systems on your mainframes, midrange computers, servers, 
workstations, PCs, notebooks, handhelds, and so on.) 

(Choose one) 
[] One 
11 2 
11 3 
[] 4 

[] 5 or More 
[] Don't Know 

7. How many gateways to external networks does your internal network have? (A 
gateway is a combination of hardware and software that links two different types of 
networks.) 

(Choose one) 
[] One 
[] 2-10 
[] 11-100 
[] 101-1,000 
[] 1,001-10,000 
[ ] More than 10,000 
[] Don't Know 

M. Network Access 

1. Do you use firewalls to protect against unauthorized access to your internal 
network? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 
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2. Is your firewall hardware, software, or both? 

(Choose one) 
[] Hardware 
[] Software 
[ ] Both 
[] Don't Know 

3. Do you allow remote access to your network? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 

4. If so, to whom? (Select all that apply.) 

(Choose all that apply) 
[] Top Level Managers 
[ ] Select Employees 
[] All Employees 
[] Vendors 
[] Suppliers 
[] Anyone 
[] Don't Know 

5. How is remote access obtained? (Select all that apply.) 

(Choose all that apply) 

[ ] Dial in direct phone line 

[] Internet 

[] Callback 

[] 3f d Party Service 

[] Don't Know 

6. How is the management of user names and passwords handled at your 
company? 

(Choose one) 

[ ] One Centralized department for entire organization 

[] One department for each operating system 

[] Individual departments are responsible for password management 

[] Don't Know 

7. Does your company mandate frequent password changes? 

(Choose one) 

[ ] Yes, strictly enforced with automated reminders 
[] Yes, but up to individual to initiate the change 
[] No 

[] Don't Know 

8. How many people have access to your password database? 

(Choose one) 
[] One 
[] 2-10 
[] 11-100 
[] 101-1,000 
I] 1 ,001-10,000 
[] More than 10,000 
[ ] Don't Know 

9. Is your password information encrypted? 
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(Choose one) 
[] Yes 
[] No 

[ ] Don't Know 

N. External Networks 

1 . Does your internal network interface with any external networks? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 

2. How many different external networks does your internal network interface 

with? 

(Choose one) 
[] One 
[] 2-10 
[] 11-100 
[] 101-1,000 
[ ] More than 1,000 
[] Don't Know 

3. With which type(s) of external networks does your internal network interface? 

(Choose one) 

[] Generic Internet 

[] Restricted Internet 

[ ] Proprietary Industry Networks 

[] Proprietary customer Networks 

[] Proprietary supplier Networks 

[] Don't Know 

4. How are these interfaces enabled? 

(Choose one) 
[] Direct feed 
[] Phone line 
[] Internet 
[] WAN 
[] Don't Know 

5. What kind of access exists between your internal network and external 
networks? 

(Choose one) 

[] We send data to external networks only 

[] We receive data from external networks 

[ J We both send to and receive data from external networks 

[] Don't Know 

6. How is external access from your internal network controlled? 

(Choose one) 

[] Single point of control 

[] Multiple levels of control (departmental, LAN, local user, etc.) 

[] None 

[] Don t Know 

7. What access controls are used? (Select all that apply.) 

(Choose all that apply) 
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[ ] Specific password access 
[] Specific network access 
[] User level Ids 
[] Transaction monitoring 
[] Encryption 

[] Transaction history reviews 
[] Don't Know 

O. Data Management & Access 

1. Are your internal transactions encrypted? 

(Choose one) 
[] Yes 
[] Some 
[] No 

[] Don't Know 

2. Are your internal transactions password protected? 

(Choose one) 
[] Yes 
[] Some 
11 No 

[] Don't Know 

3. Are your external transactions encrypted? 

(Choose one) 
[] Yes 
[] Some 
[] No 

[] Don't Know 

4. Are your external transactions password protected? 

(Choose one) 
[] Yes 
[] Some 
UNO 

[ ] Don't Know 



5. Are your customer, product, supplier, and financial files encrypted? 

(Choose one) 
[] Yes 
[] Some 
[] No 

[] Don't Know 

6. Are your customer, product, supplier, and financial files password protected? 

(Choose one) 
[] Yes 
[] Some 
[] No 

[] Don't Know 

7. Do you have critical files in a read-only mode? 

(Choose one) 
[] Yes 
[] Some 
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[] No 

[] Don't Know 

8. Do you collect sensitive client information such as credit card data and 
personal data on age, 

address, and the like? 

(Choose one) 
[] Yes 
I] No 

[] Don't Know 

9. How do you protect such information? 

(Choose one) 
[] Encrypt 
[] Readonly 
[] Password protected 
[ ] Restricted access 
[] Don't Know 

10. Do you provide such information to external personnel or organizations? 

(Choose one) 
[] Yes 
UNo 

[ ] Don't Know 

P. Viruses 

1 . What virus protection software do you use? 

(Choose one) 
[] None 
[] Norton 
[] McAfee 
[] Homegrown 
[] Don't Know 
[] Other 

2. How is your anti-virus program administered? 

(Choose one) 

[] One central location 
[] Multiple levels 
[] Individual responsibility 
[] Don't Know 

3. Which parts of your system are protected by anti-virus software? (Select all 
that apply.) 

(Choose all that apply) 
[] Mainframes 
[ ] Mid range processors 
[] Servers 
[] Workstations 
[] PC's and laptops 
[] Don't know 

4. How often do you update your virus protection software? 

(Choose one) 

[] Regular scheduled basis 
[] As needed 
[] Up to individual 
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[] Don't Know 

5. Do you perform audits to determine compliance with your anti-virus 
procedures? 

(Choose one) 
[] Yes 
11 No 

[ '] Don't Know 

6. If so, how do you schedule these audits? 

(Choose one) 

[ ] Regular scheduled basis 
l) As needed 
[] Up to individual 
[] Don't Know 

Q. Management 

1. Do you have a chief information officer, or equivalent, charged with selecting, 
implementing, operating, and training employees on your information technology 
systems and applications? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 

2. What is the annual turnover rate among your IT personnel? 

(Choose one) 
I] 0-5% 
[] 6- 15% 
[] 16-25% 
[] Over 26% 
[] Don't Know 

3. Do you require formal training of some kind for your IT personnel on new and 
existing operating systems and applications and your Internet policies and procedures? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 

3a. If the answer to Q3 is yes, how many days per year per IT employee do you 
allot for this training? 

(Choose one) 
[] 2 or Less 
11 3-5 
[] 6-10 
[] 11 or More 
[] Don't Know 

4. Are those of your employees who have contact with the public, on the Internet 
or otherwise, 

trained in the details and implementation of your privacy policy? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 
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[] Not Applicable 

4a. If the answer to Q4 is yes, how many days per year per employee, for those 
who interact with the public, do you allot for this training? 

(Choose one) 
[] 2 or Less 
[] 3-5 
[] 6 or More 
[] Don't Know 

4b. If the answer to Q4 is yes, do you regularly check the adequacy of the 
employee training related to your privacy policy? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 

5. Do you have a current business plan or model? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 

6. If the answer to Q5 is yes, how often do you update your business plan or 
model to accommodate new technology, changing customer preferences, and 
competitors' initiatives? 

(Choose one) 

[ ] Twice a Year 

[] Once a year or greater 

[] Never 

[] Don't Know 

7. Do you use operational and business measures of performance and business 
activity to follow your e-commerce activity and performance? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 

8. Do you use benchmarks of your e-commerce competitors' perfomance to 
monitor and compare your own performance? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 

R. Disaster Recovery 

1. Does your company have a disaster recovery plan? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 

2. Are your e-commerce operations and transaction processing capabilities 
included in the plan? 

(Choose one) 
[] Yes 
[1 No 
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[] Don't Know 

The following questions apply to the e-commerce section of your organizations 
disaster recovery plan. 

3. How often is the e-commerce section of your disaster recovery plan updated? 

(Choose one) 
[] Quarterly 
[] Annually 

[] Less frequently than annually 
[] Don't Know 

4. How often is the e-commerce transaction processing capabilities section of 
your disaster recovery plan tested? 

(Choose one) 
[] Quarterly 
[] Annually 

[] Less frequently than annually 
[] Don't Know 

5. Are your off-site disaster recovery tests conducted at alternate locations? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 

6. Do the tests include use of your backed-up files for programs and utilities as 
well as data? 

(Choose one) 
[] Yes 
UNO 

[] Don't Know 

7. Do the tests include use of alternate networks? 

(Choose one) 
[] Yes 
11 No 

[] Don't Know 

8. Do the tests process a structured sample of your e-commerce transactions? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 

9. Do the tests use new or untrained staff to process transactions using your 
back-up documentation? 

(Choose one) 
[] Yes 
[] No 

[] Don't Know 
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